os: Make sure big requests have sufficient length.
A client can send a big request where the 32-bit "length" field has value 0. When the big request header is removed and the length corrected, the value will underflow to 0xFFFFFFFF. Functions processing the request later will think that the client sent much more data and may touch memory beyond the receive buffer. Signed-off-by: Eric Anholt <eric@anholt.net> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
parent
c2f2b25ab5
commit
9c23685009
5
os/io.c
5
os/io.c
|
@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
|
|||
if (!gotnow)
|
||||
AvailableInput = oc;
|
||||
if (move_header) {
|
||||
if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
|
||||
YieldControlDeath();
|
||||
return -1;
|
||||
}
|
||||
|
||||
request = (xReq *) oci->bufptr;
|
||||
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
|
||||
*(xReq *) oci->bufptr = *request;
|
||||
|
|
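Review bot: The new guard at the top of the `if (move_header)` branch has no comment, and its bound is easy to misread. It rejects only a `client->req_len` smaller than `bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))`, so a length equal to that bound still passes. The length correction the description refers to is outside this hunk, but it would presumably reduce such a length to zero, so it is worth confirming that later request handlers reject a zero-length request. I would add a comment above the check, for example `/* The big-request length must cover the extended header, or the length correction below wraps; drop the client. */`. The same `sizeof(xBigReq) - sizeof(xReq)` expression also appears in the `oci->bufptr` adjustment, so a named local for it would keep the guard and the adjustment in step.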